The VECT Ransomware's Fatal Flaw: 7 Shocking Details Behind Its Accidental Wiper


Check Point Research has uncovered a critical design failure in the VECT 2.0 ransomware that renders it an accidental data wiper for most files above 128 KB. What was marketed as a ransomware-as-a-service tool with partnerships and cross-platform support actually permanently destroys large files due to a nonce-handling bug. Here are seven crucial facts about this flawed operation.

1. The Flaw That Turns Ransomware Into a Wiper

VECT 2.0’s encryption implementation contains a fatal mistake: for any file exceeding 131,072 bytes (128 KB), three out of four decryption nonces are discarded. Without these nonces, even the attacker cannot recover the original data. This means that virtually all meaningful files—virtual machine disks, databases, documents, backups—are permanently destroyed rather than encrypted. The threshold of just 128 KB makes VECT effectively a wiper for any asset containing substantial data. This flaw exists across all publicly available versions and platforms.

[Figure: illustration from the Check Point Research report. Source: research.checkpoint.com]

2. Misidentified Cipher: No Authentication, No Integrity

Several threat intelligence reports and VECT’s own advertisements claimed it uses ChaCha20-Poly1305 AEAD encryption. In reality, VECT employs raw ChaCha20-IETF (RFC 8439) with no authentication at all. There is no Poly1305 MAC, leaving encrypted data with zero integrity protection. This misidentification could lead defenders to assume file corruption is detectable, when in fact no such verification exists. The absence of authentication also means attackers have no way to confirm successful decryption, compounding the recovery impossibility.
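The two points above (a raw, unauthenticated ChaCha20-IETF stream and a four-chunk layout whose footer keeps only one of four nonces) can be modelled in a few lines. The Python below is an added illustration, not code from Check Point Research or from VECT itself; it implements ChaCha20 per RFC 8439 and assumes, as a simplification, a single per-file key, four equal-size chunks above the 131,072-byte threshold, and a footer that lists the surviving nonces. The page does not describe VECT's real file format, so those layout details are assumptions.

```python
import os
import struct

THRESHOLD = 131_072  # 128 KB: above this the page says VECT 2.0 splits a file into four chunks
CHUNKS = 4

def _qr(s, a, b, c, d):
    # RFC 8439 quarter round applied in place to four words of the 16-word state
    for shift, (x, y, z) in ((16, (a, b, d)), (12, (c, d, b)), (8, (a, b, d)), (7, (c, d, b))):
        s[x] = (s[x] + s[y]) & 0xFFFFFFFF
        s[z] ^= s[x]
        s[z] = ((s[z] << shift) | (s[z] >> (32 - shift))) & 0xFFFFFFFF

def _block(key, counter, nonce):
    # One 64-byte keystream block: constants, 256-bit key, 32-bit counter, 96-bit nonce
    init = (list(struct.unpack("<4I", b"expand 32-byte k")) + list(struct.unpack("<8I", key))
            + [counter] + list(struct.unpack("<3I", nonce)))
    s = init[:]
    for _ in range(10):  # 20 rounds = 10 column/diagonal double rounds
        for q in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                  (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            _qr(s, *q)
    return struct.pack("<16I", *((x + y) & 0xFFFFFFFF for x, y in zip(s, init)))

def chacha20_ietf_xor(key, nonce, data):
    # Raw ChaCha20-IETF (32-byte key, 12-byte nonce, counter from 0): keystream XOR only.
    # No Poly1305 tag, so nothing detects a corrupted or wrongly keyed chunk; decryption is the same call.
    out = bytearray()
    for i in range(0, len(data), 64):
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], _block(key, i // 64, nonce)))
    return bytes(out)

def _layout(length):
    # Assumed chunking: one chunk at or below the threshold, four equal chunks above it
    n = CHUNKS if length > THRESHOLD else 1
    return n, -(-length // n)

def encrypt_file(key, data, keep_all_nonces):
    # Returns (ciphertext, nonces written to the footer). keep_all_nonces=False models the
    # VECT 2.0 defect described on the page: only the first of the four nonces is retained.
    n, size = _layout(len(data))
    nonces = [os.urandom(12) for _ in range(n)]
    parts = [chacha20_ietf_xor(key, nonces[i], data[i * size:(i + 1) * size]) for i in range(n)]
    return b"".join(parts), nonces if keep_all_nonces else nonces[:1]

def decrypt_file(key, ciphertext, nonces):
    # Recovers every chunk whose nonce survived; a chunk without its nonce is unrecoverable by anyone
    n, size = _layout(len(ciphertext))
    recovered = [chacha20_ietf_xor(key, nonces[i], ciphertext[i * size:(i + 1) * size])
                 for i in range(min(n, len(nonces)))]
    return b"".join(recovered)
```

With the one-nonce footer, decrypt_file returns only the first quarter of any file above the threshold even when the key is known, which is the recovery ceiling the report describes; files at or below the threshold round-trip normally.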

3. Advertised Speed Modes: Ignored at Runtime

VECT’s Linux and ESXi variants include --fast, --medium, and --secure command-line flags ostensibly to control encryption speed. However, these flags are parsed and then completely ignored. Every execution applies identical hardcoded thresholds regardless of the operator’s selection. This suggests either incomplete development or a deliberate ruse to appear professional. The result is that affiliates cannot fine-tune performance, and the ransomware behaves identically in all scenarios—further evidence of amateur engineering.

4. One Codebase Across Three Platforms

Windows, Linux, and ESXi variants of VECT share an identical encryption engine built on libsodium. The same file-size thresholds, the same four-chunk encryption logic, and the same nonce-handling flaw appear in every variant. This consistency confirms that VECT is a single codebase ported across platforms rather than individually developed binaries. For defenders, this means a single signature or detection method can protect all three environments. For attackers, it means any fix applied must be ported manually, increasing the risk of cross-platform inconsistencies.

5. Amateur Implementation: Bugs and Design Failures

Beyond the critical nonce flaw, Check Point Research identified multiple additional bugs. Self-cancelling string obfuscation makes some anti-analysis routines permanently unreachable. A thread scheduler intended to improve encryption performance actually degrades it, due to poor synchronization. These issues paint a picture of a group that rushed development, possibly copying code from open-source projects without understanding core logic. The ransomware’s professional marketing facade crumbles under technical scrutiny, revealing a tool built by developers with limited cryptographic expertise.


6. Ransomware-as-a-Service: A Short History

VECT first appeared on a Russian-language cybercrime forum in December 2025. After claiming two victims in January 2026, it gained notoriety through a March 2026 partnership with TeamPCP, the group behind supply-chain attacks on popular software like Trivy, Checkmarx’s KICS, LiteLLM, and Telnyx. These attacks compromised downstream users, and VECT announced on BreachForums its intention to exploit those affected companies. This RaaS model allowed any registered forum user to become an affiliate, using VECT’s encryption, negotiation platform, and leak site—a low bar to entry for cybercriminals.

7. Partnership with TeamPCP and BreachForums

VECT publicly announced alliances with both TeamPCP and BreachForums. The TeamPCP partnership aimed to leverage the supply-chain breaches for ransomware deployment, potentially hitting organizations already infiltrated. Additionally, VECT promised every BreachForums registered user affiliate status, essentially democratizing ransomware operations. This move lowered the barrier to entry for novice actors, giving them access to a full-fledged RaaS platform. However, given the encryption flaw, affiliates unknowingly become data wipers rather than ransomware operators, facing potential legal consequences without the ability to deliver data recovery.

The VECT ransomware saga exposes a critical lesson: even sophisticated marketing cannot hide fundamental cryptographic errors. What appears to be a professional RaaS program is, under the hood, a broken tool that destroys data it promises to hold for ransom. Organizations should monitor for VECT indicators and patch any systems vulnerable to supply-chain attacks exploited by its partners.
